Firewall Categories wiped after NAT Outbound Save/Apply (25.7.5–25.7.6)

Started by tcgullett, October 25, 2025, 04:27:10 AM

On OPNsense 25.7.6 (also reproducible on 25.7.5), editing Outbound NAT and clicking Save + Apply causes the Firewall Categories registry to be truncated/removed. Reproducible for me 100%. Also occurring when making changes in the firewall rules.

https://github.com/opnsense/core/issues/9319#issue-3551528582

Since this seems to be a serious issue please edit it to follow the mandatory template so it gets developer attention. If you check the history you will find that it was automatically lowered in priority because you deleted the form instead of filling it in properly.

Thank you.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Since this is a HA it looks like this is a sync issue between the two boxes and the categories are dropped for the correct reasons, just not the expected ones.

Can you show the actual config history diff of the save + apply?

Keep in mind to state if this happens on the master or the backup. Categories also live in MVC code, not in legacy outbound NAT code (and configuration spot) so this interference seems less likely as a general bug concept.


Cheers,
Franco

I hope I can provide what you need. I'm very new to OPNsense.

Sync is set to only go from master to backup. All changes that would cause an XMLRPC Sync are from the master.

I've confirmed that any firewall rule change wipes most, but not all, categories, not just NAT changes. Simply editing a rule comment, saving - but not applying - is enough.

Between two normal configuration saves, a trivial rule-description edit triggered firewall_rules_edit.php to rewrite the entire Firewall section and erase most category entries.

--- config-before.xml   2025-10-30 18:31:50
+++ config-after.xml    2025-10-30 18:33:38
@@ -1300,7 +1300,7 @@
-  <descr>AWS Host Access</descr>
+  <descr>AWS Access</descr>
   <direction>in</direction>
   <category>LAN Outbound,Client Computers</category>
   <quick>1</quick>
@@ -1620,8 +1620,8 @@
-  <description>Restored sections (OPNsense.Firewall.Category) of config file</description>
-  <time>1761867110.30</time>
+  <description>/firewall_rules_edit.php made changes</description>
+  <time>1761867218.71</time>
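Review bot: The removed <description> line shows that the before side of this comparison was written by "Restored sections (OPNsense.Firewall.Category) of config file" at 1761867110.30, about 108 seconds before the /firewall_rules_edit.php save at 1761867218.71, so the baseline is a freshly restored Category section rather than one written by a GUI save. Please state where the restored section came from and add a second diff whose before side was produced by an ordinary save, so the restore can be ruled in or out as a factor.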
@@ -5200,7 +5200,7 @@
-  <Category version="1.0.0" persisted_at="1761862180.86">
+  <Category version="1.0.0" persisted_at="1761867218.63">
     <categories>
       <category uuid="xxxxxxx-...">
         <name>SYNC</name>
@@ -5210,40 +5210,10 @@
-      <category uuid="...">
-        <name>Networks</name>
-      </category>
-      <category uuid="...">
-        <name>VPN</name>
-      </category>
-      <category uuid="...">
-        <name>ICMP</name>
-      </category>
       <category uuid="...">
         <name>TCP Ports</name>
       </category>
       <category uuid="...">
         <name>Firewall</name>
       </category>
-      <category uuid="...">
-        <name>Apple Devices</name>
-      </category>
-      <category uuid="...">
-        <name>Garage Door Devices</name>
-      </category>
-      <category uuid="...">
-        <name>TV &amp; Streaming</name>
-      </category>
       <category uuid="...">
         <name>Client Computers</name>
       </category>
       <category uuid="...">
         <name>Peripherals</name>
       </category>
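Review bot: The header @@ -5210,40 +5210,10 @@ does not match the lines shown (30 old-side and 12 new-side lines against header counts of 40 and 10), and every <category> here carries only a masked uuid and a <name>, so the hunk has been trimmed. Please post it unedited apart from the uuid masking, including any other child elements of the kept and removed entries, so it is possible to see whether the entries that survived differ structurally from the ones that were dropped.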

The only intentional change was a rule description (AWS Host Access → AWS Access). The GUI save was performed via /firewall_rules_edit.php. Immediately after saving, the <OPNsense><Firewall><Category> node was rewritten. Dozens of category entries vanished—only 5–6 remained.

Are these categories shown as is? They do not look like a category created through the GUI.

Here's an example:

% pluginctl -g OPNsense.Firewall.Category
{
    "@attributes": {
        "version": "1.0.0"
    },
    "categories": {
        "category": {
            "@attributes": {
                "uuid": "ebdbc9a8-7a43-47e3-b35f-098a77950d5f"
            },
            "name": "Foobar",
            "auto": "0",
            "color": "ff0000"
        }
    }
}

There's both auto and color here.


Cheers,
Franco
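
A check along the lines of the question above, as an added example that is not part of the thread or of OPNsense: it lists category entries that lack the auto and color fields seen in the pluginctl output, and rules whose category names have no matching definition. The sample XML, its uuids and the filter/rule wrapper elements are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the config.xml excerpts in this thread;
# the uuids, the wrapper element names and the rule are illustrative only.
SAMPLE = """<opnsense>
  <filter><rule>
    <descr>AWS Access</descr>
    <category>LAN Outbound,Client Computers</category>
  </rule></filter>
  <OPNsense><Firewall><Category version="1.0.0"><categories>
    <category uuid="00000000-0000-0000-0000-000000000001">
      <name>Client Computers</name>
    </category>
    <category uuid="00000000-0000-0000-0000-000000000002">
      <name>Foobar</name><auto>0</auto><color>ff0000</color>
    </category>
  </categories></Category></Firewall></OPNsense>
</opnsense>"""

GUI_FIELDS = ("auto", "color")  # fields present in the pluginctl output above


def audit_categories(xml_text):
    """Return (incomplete, dangling) for one config.xml document.

    incomplete: {category name: [missing field names]}
    dangling:   {rule description: [category names with no definition]}
    """
    root = ET.fromstring(xml_text)
    defined, incomplete = set(), {}
    for cat in root.iterfind(".//Category/categories/category"):
        name = (cat.findtext("name") or "").strip()
        defined.add(name)
        missing = [f for f in GUI_FIELDS if cat.find(f) is None]
        if missing:
            incomplete[name] = missing
    dangling = {}
    for rule in root.iter("rule"):
        refs = [c.strip() for c in (rule.findtext("category") or "").split(",")]
        lost = [c for c in refs if c and c not in defined]
        if lost:
            dangling[rule.findtext("descr") or "(no description)"] = lost
    return incomplete, dangling


if __name__ == "__main__":
    incomplete, dangling = audit_categories(SAMPLE)
    print("categories missing GUI fields:", incomplete)
    print("rules referencing undefined categories:", dangling)
```

Running it against both the before and after configuration files shows which rules were left pointing at categories that no longer exist.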